Security Issue: Hardcoded Firebase Secrets in Codebase

[revolutionarybukhari]

Hi team,

I have discovered a security issue in our codebase: our Firebase API key and other sensitive configuration values were hardcoded in src/common/services/firebaseClient.js. Storing secrets in source code is a security risk, as it can lead to accidental exposure and unauthorized access if the repository is ever shared or made public.

What I’ve Done

• Refactored the code to load all Firebase configuration values from environment variables instead of hardcoding them.
• Added validation to ensure the app will not start if any required Firebase config value is missing.
• Updated .gitignore to ensure .env and all .env.* files are excluded from version control.
• Added security comments to guide contributors on secret management.
• Created a pull request template to standardize future security-related PRs.

Actions Required

• Rotate the exposed Firebase API key and related credentials in the Firebase console, as they should be considered compromised.
• Update your local .env file with the new Firebase credentials after rotation.
• Review and merge the related pull request once submitted.

Example .env file:

FIREBASE_API_KEY=your_firebase_api_key
FIREBASE_AUTH_DOMAIN=your_firebase_auth_domain
FIREBASE_PROJECT_ID=your_firebase_project_id
FIREBASE_STORAGE_BUCKET=your_firebase_storage_bucket
FIREBASE_MESSAGING_SENDER_ID=your_firebase_messaging_sender_id
FIREBASE_APP_ID=your_firebase_app_id
FIREBASE_MEASUREMENT_ID=your_firebase_measurement_id

Please let me know if you have any questions, concerns, or suggestions regarding this security update.

Thank you!